Google has started implementing major policy, contractual, and product changes in preparation for the soon-to-be-enforceable General Data Protection Regulation (GDPR). The changes largely reflect Google’s status as either data controller or processor with regard to its products, set out your responsibilities in light of the new legal requirements, and include product and network modifications.
Policy updates
Google’s EU User Consent Policy is being updated to better reflect the new legal requirements. Central to these policy changes is the statement of your responsibilities with regard to making disclosures to, and obtaining consent from, EEA users.
For sites, apps or other “properties” under your control that make use of Google services, you are required to:
- acquire legally valid consent from end users for the use of cookies or other local storage (where legally required);
- acquire legally valid consent for the processing of personal data for ads personalization or remarketing services;
- keep records of consent given by end users;
- provide end users with clear instructions for the withdrawal of consent; and
- identify and disclose details of all third parties involved in the processing of the personal data of end users, in an easily accessible and visible way.
Google has stated that failure to comply may lead to limited or suspended accounts and/or termination of your agreement.
Contract changes
Google is including the new GDPR terms as a supplement to your contract with Google. These modifications will come into force on 25 May 2018.
Currently, these contract changes will affect AdWords, DoubleClick, and the Google Analytics suite. The terms will be incorporated into your terms of service (also known as the terms and conditions) agreement with Google, and you may be required to log in and accept the new terms in your account if you haven’t already.
Product changes
In order to comply with the GDPR, Google is making product changes across their global network of publisher sites, which:
- give publishers the ability to select which third-party ads get displayed to their end users and give them the ability to show non-personalized ads; and
- limit the processing of personal information for children under the GDPR Age of Consent.
The company has also stated that they are “exploring consent solutions for publishers” and launching new controls that give Google Analytics customers the ability to manage the storage and deletion of their data.
Update: You can read more about the specific changes to Google Analytics and Analytics 360 here.
Here’s the full email text from Google:
Dear Customer,
Over the past year we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on 25 May 2018. The GDPR affects European and non-European businesses using online advertising and measurement solutions when their sites and apps are accessed by users in the European Economic Area (EEA). Today we are sharing more about our preparations for the GDPR – including our updated EU User Consent Policy, changes to our contract terms, and changes to our products, to help both you and Google meet the new requirements.
Updated EU User Consent Policy
Google’s EU User Consent Policy is being updated to reflect the new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consents from, end users in the EEA. For example, under that policy, advertisers will be required to obtain consent from users for the collection of data for personalized ads (e.g. remarketing tags to build audience lists) and for the use of cookies where legally required (e.g. conversion tags). The policy is incorporated into the contracts for most Google ads and measurement products globally.
Contract changes
We have been rolling out updates to our contracts for many products since last August, reflecting Google’s status as either a processor or a controller under the new law (see full classification of our Ads products). The new GDPR terms supplement your contract with Google and will come into force on 25 May 2018.
- For AdWords customers globally, our GDPR terms are incorporated into the terms of service, which (if you’ve not done so already) you can accept in your account. In the case of AdWords Customer Match and Store Sales Direct, Google acts as a processor; for the rest of AdWords we act as a controller.
- For customers using DoubleClick and the Google Analytics (GA) Suite, processor terms are available for you to review and accept from within your account. If you are an EEA client of GA, data processing terms will be included in your terms shortly. GA customers based outside EEA and all GA 360 customers may accept the terms from within GA.
- If you don’t contract with Google for your use of Google products, you should seek advice from the parties with whom you contract.
Product changes
To comply, and support your compliance with GDPR, we are:
- Making some changes across the network of publisher sites on which your ads may appear – enabling publishers to show non-personalised ads and to select which third parties measure and serve ads for EEA users on their sites and apps.
- Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
- Unifying our ads data retention practices; and launching new controls for Google Analytics customers to manage the retention and deletion of their data.
- Exploring consent solutions for publishers, including working with industry groups like IAB Europe.
Find out more
You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms and data controller terms. If you have any questions about this update, please don’t hesitate to reach out to your account team or contact us through the Help Center. We will continue to share further information on our plans in the coming weeks.
Sincerely,
The Google Team
Here’s what you can do right now to comply with Google’s GDPR-based consent policy requirements:
- Put in place on your site/app an easily accessible, comprehensive privacy policy which includes details on how you process end-user data, for which purposes, and who else has access. Be sure to include each third-party service used, with links to their policies where possible, and detail their involvement in the processing (you can do this with just a few clicks via our privacy policy solution).
- Implement a method of obtaining verifiable and valid consent. For consent to be valid, it must be informed, freely given and verifiable. This means that your end users should know precisely and honestly what they’re consenting to, and the consent must be based on an explicit, affirmative, uncoerced action.
Here’s an example of a method of acquiring valid consent for the processing of personal data for ads: Yes, I would like the ads I view to be personalized. I have read the privacy policy and understand the requirements for this function (optional).
- Implement a “cookie consent solution” that allows you to obtain valid, verifiable, explicit consent BEFORE installing cookies on the end user’s device. Our cookie solution simplifies this process: end users are informed via a customizable cookie banner, active consent is facilitated via either clicking or scrolling, and user consent settings are remembered.
- Keep clear records of the consent attained. Your records of consent should at least include the identity of the user giving consent; when they consented; what disclosures were made (what they were told) at the time they consented; methods used for obtaining consent (e.g., newsletter form, during checkout etc.); whether they have withdrawn consent or not.
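The record contents listed above, together with the consent-before-cookies rule, can be modelled as an append-only consent log plus a gate that a tag loader calls before anything is set on the device. This is an added example, not iubenda's or Google's code; the class, field names, purpose string and sample values are assumptions constructed for illustration.

```javascript
// Added example: append-only consent log. Field names are assumptions,
// chosen to mirror the record contents listed in the article.
class ConsentLog {
  constructor() {
    this.events = []; // events are only appended, so history stays auditable
  }
  // Record a grant or a withdrawal as a new, immutable event.
  record({ userId, purpose, action, disclosure, method, at = new Date() }) {
    if (!["grant", "withdraw"].includes(action)) {
      throw new Error(`unknown action: ${action}`);
    }
    if (!userId || !purpose) throw new Error("userId and purpose are required");
    if (action === "grant" && (!disclosure || !method)) {
      // A grant without proof of what was shown, and how, is not verifiable.
      throw new Error("grant needs disclosure and method");
    }
    const event = Object.freeze({
      userId, purpose, action,
      disclosure: disclosure ?? null, // what the user was told, e.g. policy version
      method: method ?? null,         // e.g. "cookie-banner", "checkout-form"
      at: at.toISOString(),           // when consent was given or withdrawn
    });
    this.events.push(event);
    return event;
  }
  // Most recently recorded event wins: consent holds only if it is a grant.
  // Unknown users and purposes default to "no consent".
  hasConsent(userId, purpose) {
    const history = this.history(userId, purpose);
    return history.length > 0 && history[history.length - 1].action === "grant";
  }
  history(userId, purpose) {
    return this.events.filter((e) => e.userId === userId && e.purpose === purpose);
  }
}

// Gate: run the tag loader only when consent for its purpose is on record.
function loadIfConsented(log, userId, purpose, loader) {
  if (!log.hasConsent(userId, purpose)) return false; // nothing set on the device
  loader();
  return true;
}

// Constructed sample: a user grants via the banner, then withdraws.
const demo = new ConsentLog();
const sample = { userId: "u-1", purpose: "ads_personalization" };
demo.record({ ...sample, action: "grant", disclosure: "policy-v3", method: "cookie-banner" });
demo.record({ ...sample, action: "withdraw" });
```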
Looking for more in-depth information on the GDPR? You’re welcome to join us at our upcoming webinar. It’s free to attend and you can have your most pressing questions answered. You can use this link to sign up NOW, as our webinars often fill up quickly.
iubenda helps you with the generation of your privacy policy and a fully fledged cookie management system (Cookie Solution)